I am just reading this paper which claims to be a formal proof that Cardano's latest Ouroboros PoS protocol ("Genesis") gives similar security guarantees as Bitcoin's PoW protocol. Unfortunately, it is 64 pages long and presupposes a lot of earlier work that I need to get comfortable with as well, so even though I am relatively confident in my understanding of these things, a thorough evaluation will take me quite some time.

So I was wondering if anybody (say Andrew Poelstra, Pieter Wuille?) had already checked this out and could give their opinion. Because on one hand this is a very bold claim that would invalidate the folklore view on this topic (PoS has fundamental security issues that can't be overcome), and on the other hand the authors seem quite legit and serious in their approach.

I do realize that even if it were true, this doesn't mean that PoS is useful for bootstrapping a system like Cardano. But couldn't it be an alternative for Bitcoin, say, after another one or two halvings?

3 Answers

The Ouroboros line of work proves security comparable to Bitcoin's security. The proofs of security in Ouroboros are similar in style to the Backbone proofs of security, which show that Bitcoin is secure. To my knowledge, there are no alternative proofs of security for Bitcoin which are formal - these are the best results we know of that illustrate that Bitcoin is secure, beyond informal hand-wavy non-mathematical arguments (such as "but you can't find a security bug, so it must be secure").

In both of these settings, there are certain assumptions made, which are as follows:

For proof-of-work, in the first version of Backbone from 2014, Bitcoin was shown secure in a synchronous model. This model splits time into discrete portions ("rounds" in Backbone, "slots" in Ouroboros) during which the players are allowed to mine and then broadcast any blocks found throughout a round. Messages sent during a round are anonymous (i.e., unauthenticated) and can be reordered by the adversary (hence the need for a consensus protocol). The adversary is also "rushing" in that it can use its own mining power after it has observed what the honest parties have done during that same round and prior to allowing messages to travel on the network. The assumption is that no messages are lost. This is a necessary assumption to prove Bitcoin secure - if the network is split, then you can't hope for your 50/50 honest majority to continue creating the longest chain.

The synchronicity requirements were relaxed in the current version of Backbone, revised in 2017, in which the model is semi-synchronous. The first version of Backbone also showed that Bitcoin is secure if the difficulty is kept constant. A follow-up work on Backbone from 2016 showed that it remains secure in a variable difficulty setting. These proofs hinge on an honest majority assumption which is made precise in the papers. More precisely, it is required that the adversary has mining power which is lower than the honest mining power by a fixed constant which makes up for non-uniquely successful rounds (i.e., rounds during which multiple honest parties find a block and hence will cause a short accidental fork on the blockchain).

The assumptions in the proof-of-stake setting of Ouroboros are similar network-wise to Backbone. The model is mostly borrowed from Canetti's Universal Composability framework, in the sense that there exists an environment which can influence the execution. Proofs in the "environment-including" model are powerful in that they can speak of any execution in which the adversary is able to tell people exactly what to do beyond the requirement that the honest parties run the honest protocol. For example, the adversary can corrupt players of their choice.

In Ouroboros, the assumption which is dual to Backbone's "honest mining majority" is "honest stake majority", i.e., that at any moment in time, the majority of stake belongs to the honest parties. This is a strong assumption which may or may not hold true, so it depends on what you're willing to accept. Another assumption made in Ouroboros is that stake shifting is bounded. This seems like a reasonable assumption: It means that all money cannot change hands instantaneously. However, the construction hinges on this bound to specify the security parameters such as epoch length. In the practical system, these parameters take concrete values which allow for specific bounds to be attained.

Ouroboros Praos achieves better security guarantees than Ouroboros: It allows the adversary to corrupt any honest party instantaneously, whenever she feels she needs to. This is a strong adversary (hence the system is more secure), and is also a similar assumption to Backbone. For proof-of-stake, it's an important achievement, as the adversary could retroactively corrupt parties who were successful in staking a block so that she can create multiple competing blocks. To my knowledge, practically deployed proof-of-stake chains such as Blackcoin do not enjoy such guarantees (and really cannot make any claims, since they do not have security proofs).

Ouroboros Genesis makes the above results stronger in that the parties are dynamic (and can, e.g., go offline) and the security is proven in a stronger model.

All of these works (the proofs for both Bitcoin and Ouroboros) also use the Random Oracle assumption, which some cryptographers dislike.

All of these approaches are comparable to other lines of work such as Snow White and Algorand. In my opinion, Ouroboros achieves better guarantees, has good design decisions, has formal security proofs, and functions in a model that is quite similar to proof-of-work-based systems (especially Praos). It would take an extensive analysis to compare them all side-by-side.

In the end, whether you are happy with the security assumptions and threat model in these works is up to your requirements. Overall, these works achieve some good guarantees, but some results are left to be desired. For example, honest majority may hold most of the time, not all of the time, but there has been no exploration of whether security is guaranteed in these settings (neither in Bitcoin nor in Ouroboros). I do suspect that Bitcoin is more resilient to extreme conditions, but no such guarantees have been proven.

Generally, one thing to note is that these limitations/assumptions also hold for Bitcoin: The best formal proofs we have for Bitcoin work in a limited model which is close, but not exactly the same, as the real construction. To conclude, Backbone is the best analysis we have for Bitcoin, and it makes an analysis which is comparable to Ouroboros. Hence, its security guarantees do match the security guarantees we have for Bitcoin, if you equate staking honest majority with mining honest majority, at least as long as provability is required.

If you'd like to understand these papers yourself, and judge for yourself whether they achieve your desired outcomes, I recommend that you read the GKL Backbone paper first. You can read the first portion where it talks about Common Prefix, Chain Quality and Chain Growth, as well as Liveness and Persistence. Then I recommend that you read Ouroboros, maybe followed up by Ouroboros Praos. These should give you a good idea of what this line of work is about. You're right that understanding Ouroboros Genesis has a lot of prerequisites. You can get a good understanding of the results regarding the security of proof-of-stake without reading that particular paper though.

Disclaimer: I am Aggelos' PhD student (Aggelos wrote Backbone, Variable Backbone, Ouroboros, Ouroboros Praos, Ouroboros Genesis - I did not contribute to these papers); my current scientific work is used in Cardano, which is an implementation of Ouroboros. My view may be biased.
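As an added illustration of the synchronous-round model described in this answer (this script is not part of the answer, nor code from the Backbone or Ouroboros papers), the following Python models n parties, t of them adversarial, each making q hash queries per round, every query succeeding with probability p. It computes the per-round probability of a successful round, of a uniquely successful round (exactly one honest block), and the adversary's expected block rate, and then applies a simplified honest-majority check: uniquely successful rounds must outpace adversarial blocks by a margin delta. That check and all parameter values are assumptions for illustration; the precise condition and its constants are in the GKL paper.

```python
import random
from dataclasses import dataclass

# Toy model of the synchronous-round setting (Backbone/GKL style), added as an
# illustration. n parties, t of them adversarial, each making q hash queries
# per round; every query independently yields a block with probability p.
# The honest-majority condition checked here is a simplified stand-in for the
# precise one in the paper: the margin delta and the parameter values below
# are assumptions, not figures from the paper.

@dataclass
class RoundStats:
    rounds: int
    successful: int           # rounds with at least one honest block
    uniquely_successful: int  # rounds with exactly one honest block
    adversary_blocks: int     # total blocks found by the adversary

def analytic_rates(n: int, t: int, q: int, p: float) -> dict:
    """Exact per-round rates for the model above."""
    h = (n - t) * q                   # honest queries per round
    f = 1 - (1 - p) ** h              # P(at least one honest block)
    u = h * p * (1 - p) ** (h - 1)    # P(exactly one honest block)
    beta = t * q * p                  # expected adversarial blocks per round
    return {"f": f, "u": u, "beta": beta}

def honest_condition(n: int, t: int, q: int, p: float, delta: float = 0.0) -> bool:
    """Simplified honest-majority check: uniquely successful rounds must
    outpace adversarial blocks by a margin delta. Forks caused by
    non-uniquely successful rounds are what that margin has to absorb."""
    r = analytic_rates(n, t, q, p)
    return r["u"] > (1 + delta) * r["beta"]

def simulate(n: int, t: int, q: int, p: float, rounds: int, seed: int = 0) -> RoundStats:
    """Monte Carlo version: count block events per round. The rushing
    adversary and message reordering affect which chain wins, not how many
    blocks each side finds, so a count suffices to estimate the rates."""
    rng = random.Random(seed)
    honest_q, adv_q = (n - t) * q, t * q
    stats = RoundStats(rounds, 0, 0, 0)
    for _ in range(rounds):
        honest_blocks = sum(rng.random() < p for _ in range(honest_q))
        stats.adversary_blocks += sum(rng.random() < p for _ in range(adv_q))
        if honest_blocks >= 1:
            stats.successful += 1
        if honest_blocks == 1:
            stats.uniquely_successful += 1
    return stats

if __name__ == "__main__":
    # Constructed parameters: 100 parties, 40 adversarial (60% honest), 10 queries each.
    for p in (0.0001, 0.001):
        r = analytic_rates(100, 40, 10, p)
        ok = honest_condition(100, 40, 10, p)
        print(f"p={p}: f={r['f']:.4f} u={r['u']:.4f} beta={r['beta']:.4f} "
              f"honest-majority check holds: {ok}")
    s = simulate(100, 40, 10, 0.0001, rounds=2000)
    print(f"simulated uniquely successful fraction: {s.uniquely_successful / s.rounds:.4f}")
```

With 60% honest hashing power the check passes at the low block rate (p = 0.0001) but fails at the higher one (p = 0.001): more frequent blocks mean more rounds in which several honest parties succeed at once and fork, which eats the honest margin. This is the reason the constant in the paper's honest-majority assumption depends on the block rate and not only on the raw majority.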

Thanks for the insight into the relevant academic work around this. One thing I struggle with is starting with the assumption that a majority of the hashrate in PoW is honest. That may be the only way to formalize security, but it seems to be a meaningless assumption; if the majority of the hashrate was truly trusted to be honest, we could just replace miners with signers and have them sign blocks. In reality, I think the true assumption is more something like "the majority acts in a rational manner", which is hard to formalize, but very different from the assumptions in PoS.
– Pieter Wuille, Jul 25 '18 at 22:13

@PieterWuille I agree with your point. More work is needed to formalize the incentives of the Bitcoin protocol, and this is a hard problem. Incentives have not been analyzed in the Backbone game, but there is an incentive analysis on a simpler game (which I find quite limiting, but it's a first attempt). One thing to note is that, in Backbone, the honest strategy cannot be incentive-compatible due to selfish mining. Ouroboros, however, does have an incentive analysis which proves that the honest strategy is a Nash equilibrium (section 7 of the original paper).
– dionyziz, Jul 26 '18 at 6:40

@PieterWuille Another point regarding your comment is that we cannot really replace miners with signers, even if we do assume honest majority of PoW hashrate - because honest majority is not by key count, but by computation cycles (or queries to the Random Oracle). How would you imagine such a construction to work? Could you put forth something (roughly) in the backbone model based on signatures?
– dionyziz, Jul 27 '18 at 23:26

As I recall, that system's security claims assume that the users have a synchronous network: every message is reliably delivered in order to all users. This is a rather nonphysical assumption; the only way we know how to construct such a thing is to use some kind of consensus system. Which would make the name "Ouroboros" rather fitting. :P

If you did actually have a synchronous network, you wouldn't need any kind of POW/POS whatever; you'd just have people send their transactions and the first one sent wins. As a result, under that assumption you could prove virtually any kind of system secure, even ones with absolutely no security in the real world.

Because of the long history of unclear, misleading, obfuscated, or outright dishonest claims about security from people promoting POS and other alternative consensus systems, I think most experts have for the time being run out of patience reviewing these things. I'd like to suggest that anyone who thinks they have a really good framework would do well using it to prove similar alternatives like Stellar, Ripple, or Ethereum's R&D insecure. I say this for two reasons: One is that if someone's framework can't prove other systems insecure, then why should we expect it to tell us if their new system is insecure? The other reason is to escape from an unscalable behavior where poorly considered schemes are thrown over the fence and saturate a limited number of people who can review them. I also think that the best informal evidence that someone is qualified to build a system is that they're able to find flaws in other systems, and without something like that it's simply too hard to prioritize review over other work. This sort of activity can help clarify what properties a proposal is actually providing.

I feel your criticism of the synchronicity assumptions of Ouroboros is unfair. The synchronicity assumption in the Ouroboros papers, which carries over from the earlier Backbone paper (GKL), is not that messages are delivered reliably in order, but literally that they are reliably delivered out of order. This is made explicit in both papers: The adversary must relay messages, but can reorder them and inject new messages. Hence, your proposed protocol in which "the first transaction wins" would not lead to a protocol which achieves consensus.
– dionyziz, Jul 25 '18 at 20:30

Does "The adversary must relay messages, but can reorder them" correspond to any existing decentralized communications medium in use anywhere in the world?
– G. Maxwell, Jul 25 '18 at 21:15

Yes - see my other answer. The assumption corresponds to the fact that the network is connected and you can reach other honest nodes. However, besides that, is there, to your knowledge, a formal proof of security for Bitcoin that makes different weaker assumptions, beyond the synchronous and semi-synchronous formalisms of Backbone and Pass/Shi? If not, why do you require this from stake systems?
– dionyziz, Jul 25 '18 at 21:18


@dionyziz I think the reality is that there is no security proof at all for Bitcoin which accurately reflects the actual assumptions made. It sounds correct that a security proof exists with similar assumptions to the best existing proof for Bitcoin-like systems, but I think the latter is meaningless. So "this system is provably as secure as Bitcoin" sounds like a disingenuous summary. It is more "this system is provably as secure as some weakened form of Bitcoin, for which a proof happens to exist".
– Pieter Wuille, Jul 25 '18 at 22:27


@PieterWuille You're right, there's no proof for the full BTC system; we only suspect it works because of empirical evidence and intuition. In that sense, we don't even know if Bitcoin works (against arbitrary adversaries). Given your experience and insight, can you help us steer research in the right direction by pointing out what assumptions in the model you would like to see weakened, beyond exploring incentives? Do you have any comments on the adversary threat model and network assumptions? We can't hope for the mathematical model to completely accurately reflect reality, but we can improve...
– dionyziz, Jul 26 '18 at 7:59

Leaking signatures is always a possibility and is implementation-specific, but overwriting the block (and effectively nullifying its transactions) with sheer hashpower, which you can summon on demand, isn't preventable.

You can't force or predict when a stake will occur, hence the problem.

Can you elaborate on what you mean by "hence the problem"? What problem are you referring to? Thank you :)
– dionyziz, Jul 25 '18 at 20:55

Obviously referring to why Proof of Stake cannot be trusted for security: you can summon more hashpower (for PoW) at any given moment; however, you can't do this with PoS.
– barrystyle, Jul 27 '18 at 13:56

I'm not sure why this is a problem. I assume that by "it can be trusted" you mean that the probability of failure is within sufficient bounds. The reason to "summon" more PoW is when an adversarial PoW is increased, and hence honest majority is in danger of being violated. In PoS you don't need to summon more stake, because the adversary cannot summon more stake. Does that make sense?
– dionyziz, Jul 27 '18 at 16:42

Correct, however my underlying point was that a PoS block can easily be 'overwritten' by a PoW block, or several.
– barrystyle, Jul 29 '18 at 1:31

I'm not sure I understand what you mean by "overwritten". Are you envisioning a system where stake and work are both used to create blocks and one is heavier than the other? Care to explain?
– dionyziz, Jul 29 '18 at 9:26